Recommendation to Protect Your Data in the Future Prof. Dr.-Ing. Tim Güneysu Arbeitsgruppe Technische Informatik / IT-Sicherheit (CEITS) LEARNTEC – Karlsruhe – 27.01.2016
Long-Term Security in the Real World
• Most IT applications have long-term security requirements for their data
• Some of the deployed systems are strictly constrained in memory and computational power
[Figure: typical lifetimes of deployed systems, with ranges of 5-25 years, > 8 years, 5-40 years and 10 years shown for different application classes]
Basics on Cryptography
• The fundamentals of IT security are built on cryptography
• Cryptography provides a large variety of security services (such as confidentiality, authentication, integrity, anonymity, ...)
• This talk: towards long-term secure encryption systems
[Figure: Alice sends message x to Bob over an untrusted channel; Oscar observes the channel]
Introduction to Symmetric Cryptography
[Figure: Alice encrypts LEARNTEC to ÜOc#2$Kj with e under key k, Bob recovers LEARNTEC with e^-1 under the same key k; Oscar observes the untrusted channel; k is exchanged over a "secure channel (?!)"]
• Common problem:
– How can Alice and Bob securely exchange the shared secret k prior to communication?
Asymmetric Cryptography
• Alternative: use asymmetric encryption with two key shares (k_public, k_private)
[Figure: Alice encrypts LEARNTEC to %9DKslt3=Öd with e under k_public, Bob recovers LEARNTEC with e^-1 under k_private; Oscar observes the untrusted channel]
• Fundamental challenge:
– Function e must be efficient to evaluate in both directions for all key shares (k_public, k_private)
– Inverting e is hard if k_private is not present
Examples: The Case of RSA and ElGamal

RSA Cryptosystem
• Setup/Parameters: choose n = p·q with p, q prime. Pick e with gcd(e, φ(n)) = 1 and compute d with e·d = 1 mod φ(n).
• Public key: k_public = (n, e)
• Private key: k_private = d
• RSA encryption for message m ∈ Z_n^*:
– Encrypt: c = m^e mod n
– Decrypt: m = c^d mod n
• Underlying hard problem: Integer Factorization Problem

ElGamal Cryptosystem
• Setup/Parameters: given p prime and a generator α ∈ Z_p^*. Pick random a ∈ Z_{p-1} \ {0,1} and compute b = α^a mod p.
• Public key: k_public = (b, p)
• Private key: k_private = a
• ElGamal encryption for message m ∈ Z_p^*:
– Encrypt: pick random i ∈ Z_{p-1} \ {0,1} and compute t = α^i mod p. Compute k = b^i mod p. Finally: c = m·k mod p (t is sent along with c).
– Decrypt: compute k = t^a mod p. Finally: m = c·k^-1 mod p.
• Underlying hard problem: Discrete Logarithm Problem
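The two textbook schemes from this slide, worked through in code. This is an added example written for this page, not code from the talk or from the PQCRYPTO project; it uses the slide's notation (n, e, d for RSA; p, α, a, b, i, t, k for ElGamal), deliberately tiny constructed parameters, and no padding, so it illustrates the algebra only and is not usable encryption. The trial-division routine at the end is likewise a toy that shows why the factorization problem is what the RSA key size must protect.

```python
"""Textbook RSA and ElGamal with toy parameters (added example, not from the slides)."""
from math import gcd
import secrets

# ---------------- RSA ----------------
def rsa_keygen(p, q, e):
    """Setup: n = p*q, d = e^-1 mod phi(n). Returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), d

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)          # c = m^e mod n

def rsa_decrypt(pub, d, c):
    n, _ = pub
    return pow(c, d, n)          # m = c^d mod n

# ---------------- ElGamal ----------------
def _random_exponent(p):
    """Random element of Z_{p-1} \\ {0, 1}, i.e. in [2, p-2]."""
    return 2 + secrets.randbelow(p - 3)

def elgamal_keygen(p, alpha, a=None):
    """Setup: private a, public b = alpha^a mod p. Returns ((p, alpha, b), a).
    The generator alpha is carried in the public tuple so encryption can use it."""
    if a is None:
        a = _random_exponent(p)
    b = pow(alpha, a, p)
    return (p, alpha, b), a

def elgamal_encrypt(pub, m, i=None):
    """Returns the ciphertext pair (t, c) with t = alpha^i, c = m * b^i mod p."""
    p, alpha, b = pub
    if i is None:
        i = _random_exponent(p)  # fresh ephemeral exponent per message
    t = pow(alpha, i, p)
    k = pow(b, i, p)
    return t, (m * k) % p

def elgamal_decrypt(pub, a, ct):
    p, _, _ = pub
    t, c = ct
    k = pow(t, a, p)             # same k as the sender derived
    return (c * pow(k, -1, p)) % p

# ---------------- why the key size matters ----------------
def recover_rsa_private_by_trial_division(pub):
    """Toy illustration of the hardness assumption: for a tiny n, factoring by
    trial division is immediate and yields d. Real moduli are sized so that
    this (and the far better Number Field Sieve) is infeasible."""
    n, e = pub
    f = 2
    while n % f != 0:
        f += 1
    p, q = f, n // f
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)             # constructed toy parameters
    c = rsa_encrypt(pub, 65)
    print("RSA:", pub, "c =", c, "m =", rsa_decrypt(pub, d, c))
    epub, a = elgamal_keygen(23, 5)             # 5 generates Z_23^*
    ct = elgamal_encrypt(epub, 10)
    print("ElGamal:", ct, "m =", elgamal_decrypt(epub, a, ct))
```

Running the block prints the round trips; the deterministic values used below (n = 3233, e = 17, m = 65 giving c = 2790 and d = 2753) are the classic small RSA example, and the ElGamal values were computed by hand from a = 6, i = 3.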
Security of Practical Cryptographic Primitives
• Cryptosystems must combine security and efficiency
• Embedded devices usually deploy standardized cryptography
– Symmetric encryption: Advanced Encryption Standard
– Asymmetric encryption: RSA (Factorization Problem), ElGamal or Elliptic Curve Cryptography (Discrete Logarithm Problem)
• No proofs for the hardness of any of these cryptographic systems
• Thus: select security parameters to resist the best known cryptanalytic attack(s)
Best Attacks on Standard Cryptosystems
• Attacks on symmetric cryptosystems
– Modern ciphers employ well-understood principles
– The best attack on solid symmetric ciphers is exhaustive key search
– Rather easy to tweak for long-term security by scaling key sizes
• Attacks on asymmetric cryptosystems
– Almost all deployed cryptosystems rely on one of two problems
• Factorization problem (RSA)
• Discrete Logarithm problem (DLOG)
– Best known attacks have subexponential complexity
• General Number Field Sieve (on RSA)
• Index Calculus (on DLOG)
– Still, long-term security parameters come with no real security guarantee
Key Size Recommendations
• Security parameters assuming today's algorithmic knowledge and the computing capabilities of an advanced attacker
[Table: recommended key sizes; values not recoverable from the extracted text]
Source: ECRYPT II Yearly Key Size Report (symmetric) 2011-2012
Public-Key Cryptography and Long-Term Security
• All currently deployed asymmetric cryptosystems (RSA, ElGamal, ECC) will become obsolete as soon as powerful quantum computers exist (cf. Shor 1994)
• Note that RSA & DLOG cryptosystems are closely related
• Even without quantum computers, diversity of cryptosystems in the cryptographic basket is essential
Alternatives for Public-Key Cryptography (I)
• Solutions for alternative public-key cryptosystems are already required today
• Ideally, with security reductions based on NP-hard problems
• No polynomial-time quantum attacks (such as Grover's or Shor's algorithm)
• Efficiency in implementations comparable to currently deployed systems
Alternatives for Public-Key Cryptography (II)
• Four main branches of post-quantum crypto:
– Code-based
– Hash-based
– Multivariate-quadratic
– Lattice-based
• Support public-key encryption and/or signature schemes
EU Horizon 2020: Post-Quantum Cryptography (PQCRYPTO)
• Project Goals
– Identification and (re-)design of alternative cryptosystems resisting attacks from quantum computers
– Development of efficient implementations as drop-in replacements for today's cryptography
• Project Timeframe
– March 2015 – Feb 2018
• Project Consortium
– Coordinator: TU Eindhoven (Tanja Lange)
– 11 Partners, 1 Associated (Taiwan)
Project Work Packages
• WP1: Post-quantum cryptography for small devices
– Leader: Tim Güneysu (Uni Bremen)
– Co-leader: Peter Schwabe (RU Nijmegen)
• WP2: Post-quantum cryptography for the Internet
– Leader: Daniel J. Bernstein (TU Eindhoven)
– Co-leader: Bart Preneel (KU Leuven)
• WP3: Post-quantum cryptography for the cloud
– Leader: Nicolas Sendrier (INRIA Paris)
– Co-leader: Lars Knudsen (DTU Kopenhagen)
PQCRYPTO: Partners
[Figure: map/logos of the project partners]
Initial Recommendations (as of March 2015)
• Conservative recommendations
– Symmetric cryptography
• Block ciphers: AES with 256-bit key [1]
• Stream ciphers: Salsa20 with 256-bit key [2]
– Asymmetric cryptography
• Code-based encryption: McEliece encryption with binary Goppa codes using length n = 6960, dimension k = 5413 and adding t = 119 errors [3]
• Hash-based digital signatures: XMSS with 256-bit parameter set [4] or SPHINCS-256 [5]
• Further, more experimental choices are under investigation
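The hash-based signatures recommended on this slide (XMSS, SPHINCS) are built from one-time signatures whose security rests only on the hash function. The following added example, written for this page and not taken from the talk, XMSS or SPHINCS, shows the simplest such scheme, a Lamport one-time signature over SHA-256, together with the state handling that makes "one-time" enforceable: a stateful signer that refuses a second signature, which is the property XMSS tracks with its leaf index and SPHINCS avoids by being stateless. Key sizes, the `OneTimeSigner` wrapper and the message bytes are all constructed for the example.

```python
"""Lamport one-time signature over SHA-256 (added example, not project code)."""
import hashlib
import hmac
import secrets

N = 256  # one secret pair per bit of the SHA-256 message digest

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def lamport_keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the hash of every secret (2 * 256 * 32 bytes)."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def _bits(digest: bytes):
    """Message digest as a list of 256 bits, most significant bit first."""
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def lamport_sign(sk, msg: bytes):
    """Reveal, for each digest bit, the secret of the matching half of the pair."""
    return [sk[i][b] for i, b in enumerate(_bits(H(msg)))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Hash every revealed secret and compare with the public half selected
    by the message bit. Uses a constant-time compare and no early exit."""
    if len(sig) != N:
        return False
    ok = True
    for i, (s, b) in enumerate(zip(sig, _bits(H(msg)))):
        ok &= hmac.compare_digest(H(s), pk[i][b])
    return ok

def signature_size_bytes(sig) -> int:
    return sum(len(s) for s in sig)

class OneTimeSigner:
    """Stateful wrapper: a Lamport key must never sign twice, because a second
    signature on a different message reveals secrets from both halves of some
    pairs and lets anyone combine them. The state flag enforces this, in the
    same spirit as the leaf index that XMSS must persist across signatures."""
    def __init__(self):
        self.sk, self.pk = lamport_keygen()
        self.used = False

    def sign(self, msg: bytes):
        if self.used:
            raise RuntimeError("one-time key already used; refusing to sign again")
        self.used = True
        sig = lamport_sign(self.sk, msg)
        self.sk = None  # drop the private key so it cannot be reused by accident
        return sig

if __name__ == "__main__":
    signer = OneTimeSigner()
    msg = b"LEARNTEC 2016"            # constructed sample message
    sig = signer.sign(msg)
    print("valid:", lamport_verify(signer.pk, msg, sig))
    print("tampered valid:", lamport_verify(signer.pk, b"LEARNTEC 2017", sig))
    print("signature bytes:", signature_size_bytes(sig))
```

The 8 KiB signature and 16 KiB public key are what XMSS and SPHINCS shrink with Winternitz chains and Merkle trees; the reuse hazard that `OneTimeSigner` guards against is what their tree structures turn into a many-time scheme.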
References
[1] Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, 2002.
[2] Daniel J. Bernstein. The Salsa20 Family of Stream Ciphers. In Matthew J. B. Robshaw and Olivier Billet, editors, New Stream Cipher Designs - The eSTREAM Finalists, volume 4986 of Lecture Notes in Computer Science, pages 84-97. Springer, 2008.
[3] Daniel J. Bernstein, Tung Chou, and Peter Schwabe. McBits: Fast Constant-Time Code-Based Cryptography. In Guido Bertoni and Jean-Sebastien Coron, editors, Cryptographic Hardware and Embedded Systems - CHES 2013 - 15th International Workshop, Santa Barbara, CA, USA, August 20-23, 2013. Proceedings, volume 8086 of Lecture Notes in Computer Science, pages 250-272. Springer, 2013.
[4] Johannes A. Buchmann, Erik Dahmen, and Andreas Hülsing. XMSS - A Practical Forward Secure Signature Scheme Based on Minimal Security Assumptions. In Bo-Yin Yang, editor, Post-Quantum Cryptography - 4th International Workshop, PQCrypto 2011, Taipei, Taiwan, November 29 - December 2, 2011. Proceedings, volume 7071 of Lecture Notes in Computer Science, pages 117-129. Springer, 2011.
[5] Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, and Zooko Wilcox-O'Hearn. SPHINCS: Practical Stateless Hash-Based Signatures. In Elisabeth Oswald and Marc Fischlin, editors, Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I, volume 9056 of Lecture Notes in Computer Science, pages 368-397. Springer, 2015.
Thank you! Any Questions?